Cookie-Proxy: A Scheme to Prevent SSLStrip Attack

A new Man-in-the-Middle (MitM) attack called SSLStrip poses a serious threat to the security of the Secure Sockets Layer (SSL) protocol. Although several schemes have been proposed to resist this attack, no practical countermeasure has existed until now. To withstand SSLStrip, this paper proposes a scheme named Cookie-Proxy, consisting of a secure cookie protocol and a new topology structure composed of a proxy pattern and a reverse proxy pattern. Experimental results and a formal security proof in SVO logic show that the scheme is effective at preventing the SSLStrip attack. In addition, the scheme adds little extra time cost and little extra communication cost compared with previous secure cookie protocols.
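To make the two ingredients named in the abstract concrete, the following Python sketch shows how a TLS-terminating reverse proxy could enforce an authenticated, channel-bound cookie. This is an added example, not the paper's Cookie-Proxy protocol (whose message format is not given on this page); the cookie layout `user|expiry|tag`, the per-user key derivation, the `proxy_decision` policy and the `tls_session` binding are all assumptions made for illustration.

```python
"""Illustrative secure-cookie check of the kind a reverse proxy could enforce.
Added example; NOT the Cookie-Proxy protocol from the paper. The field layout,
key derivation and policy names below are assumptions, not the paper's design."""
import hashlib
import hmac
import secrets
import time

# Constructed demo key. In a deployment the key lives only on the
# TLS-terminating reverse proxy, never on the client.
SERVER_KEY = secrets.token_bytes(32)


def user_key(server_key, user):
    """Per-user key derived from the server secret (assumed construction)."""
    return hmac.new(server_key, user.encode(), hashlib.sha256).digest()


def issue_cookie(server_key, user, ttl, tls_session, now=None):
    """Build 'user|expiry|tag'. The HMAC tag also covers the TLS session
    identifier, so the cookie only verifies on the encrypted channel it was
    issued on and is useless if presented over a different connection."""
    exp = (int(time.time()) if now is None else now) + ttl
    payload = f"{user}|{exp}"
    tag = hmac.new(user_key(server_key, user),
                   f"{payload}|{tls_session}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie(server_key, cookie, tls_session, now=None):
    """Return the user name if the cookie is well-formed, unexpired and bound
    to this TLS session; otherwise None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, exp_s, tag = parts
    try:
        exp = int(exp_s)
    except ValueError:
        return None
    current = int(time.time()) if now is None else now
    if current >= exp:
        return None
    expected = hmac.new(user_key(server_key, user),
                        f"{user}|{exp}|{tls_session}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison; different lengths compare unequal.
    if not hmac.compare_digest(expected, tag):
        return None
    return user


def proxy_decision(server_key, scheme, cookie, tls_session, now=None):
    """Reverse-proxy policy (assumed): plain HTTP is never served, only
    redirected, so no authenticated content exists on the stripped path;
    over HTTPS the cookie must verify against the current TLS session."""
    if scheme != "https":
        return ("redirect_https", None)
    if cookie is None:
        return ("login_required", None)
    user = verify_cookie(server_key, cookie, tls_session, now)
    if user is None:
        return ("reject_cookie", None)
    return ("forward", user)


if __name__ == "__main__":
    c = issue_cookie(SERVER_KEY, "alice", 600, "sess-1")
    print(proxy_decision(SERVER_KEY, "https", c, "sess-1"))   # forwarded as alice
    print(proxy_decision(SERVER_KEY, "https", c, "sess-2"))   # rejected: wrong session
    print(proxy_decision(SERVER_KEY, "http", c, "sess-1"))    # redirected, never served
```

The design point is that the cookie is only meaningful to the reverse proxy, which terminates TLS and therefore knows which session it is checking against; the backend behind it never sees a plain-HTTP request at all.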
